KathyM said:
Hi,
I was shocked to find out that if I send out an email to several of my
clients using BCC for everyone (for confidentiality reasons), and one of
the recipients wants to reply to the message and accidentally chooses
Reply to All, it displays ALL of the message recipients, including the
BCC ones.
I'm using Outlook 2003. Is this a "new feature" or a HUGE SECURITY
ISSUE?????? Is there a way to fix this?? Or a workaround?
Kathy
The recipient of your Bcc'ed message never got the list of recipients.
In fact, the recipient doesn't even get his own e-mail address in the
Bcc header because the Bcc header is not included (it was never sent by
your e-mail client to your mail server so it obviously never gets
received by your recipients).
When you specify multiple recipients in the To, Cc, and Bcc fields in
your e-mail client, those fields are NOT used to route the copy of your
message. Your e-mail client generates an aggregate list of all
recipients listed in the To, Cc, and Bcc fields and issues a RCPT TO
command to your mail server for each recipient. If, for example, you
had 5 recipients in the To field, 3 in the Cc field, and 4 in the Bcc
field, your e-mail client would send twelve RCPT TO commands to your mail
server. Your mail server has no way of knowing which RCPT TO commands
were for recipients in which field within your e-mail application. Then
your e-mail client issues a single DATA command that contains the data of
your message (headers added by your e-mail client and the body of the
message). So you end up sending N RCPT TO commands and one DATA command
to send the message. At no time did your e-mail client differentiate in
the RCPT TO commands which recipients were specified within the Bcc
field (which is just a field in the window presented to you and is not
used when routing your message).
The recipient never sees what commands your e-mail client sent to your
mail server so the recipient never knows what targets were specified in
all the RCPT TO commands. The recipient never knows who the actual
recipients were. All they know is what your e-mail client put in its
headers that were included within the *data* that it sent in the DATA
command. The To, Cc, Bcc, Reply-To, Subject, and other headers are
optional; i.e., they may appear zero or one time at most. The only way the
recipient would know how to differentiate which recipients were
specified and which were in which field is if YOUR e-mail client
included those headers. So if your e-mail client includes the Bcc
header (as data) then it is YOUR e-mail client that is violating the
implied security of specifying recipients in the Bcc header. Some mail
servers will look for the Bcc header and strip it out but that is not a
requirement. So if your e-mail client stupidly included the Bcc data
and if your mail server didn't strip it out and if the recipient's mail
server didn't strip it out then, yes, the recipient will see the other
recipients listed in that Bcc data field.
However, when YOU resend your own e-mails that specified Bcc'ed
recipients, your e-mail client still knows all recipients specified in
all fields since those fields are part of that item's recorded values in
your local message store; i.e., obviously your own e-mail client would
know to whom it would've sent the message. In Outlook, you can review
the Bcc recipients by double-clicking the mail item in the Sent Items
folder so it appears in its own window to see all the fields that got
used, including the Bcc field. Remember that fields within your e-mail
client are NOT the same as the headers that your e-mail client included
in the data sent in the DATA command and will never show the content of
the RCPT TO commands.
You obviously don't need to hide the list of recipients for an e-mail
that YOU sent. The recipients will only get the optional Bcc header if
and only if YOUR e-mail client put it in the data sent during the DATA
command. So YOUR e-mail client would have to commit the ****up. Since
you are asking in an Outlook newsgroup, Outlook does not include the Bcc
header in its data sent during the DATA command.
As a test, and if you have 3 POP3 accounts, send yourself a test e-mail
from account-A to your account-B and account-C. If you don't have 3
POP3 accounts, use a couple freebie accounts at Yahoo or Hotmail
(because they have an option to view full headers although Yahoo is
easier with a toggle option per mail whereas Hotmail makes it a global
option applied against all mails). When sending from account-A, put
account-B in the To field and account-C in the Bcc field. Send the
test e-mail. Then use Outlook Express (and NOT Outlook) or use the
webmail interface to account-B, if they have one (and it lets you see
full headers), to view that test e-mail. Now look at the raw data for
the message and you won't find your account-C's e-mail address anywhere.
So you cannot Reply to that e-mail and include account-C because
account-C is nowhere mentioned in the headers.
You said, "If I receive an email and I am a BCC recipient and I choose
reply to all. It will add everyone to the list of recipients including
the Sender, To and CC people, not other BCC recipients." So Bcc is
working as designed. Since none of the Bcc recipients are listed in any
headers in the e-mail that you received, "not other BCC recipients" is
appropriate because they are unknown to you in your copy of the e-mail.
Reply-to-All includes everyone else (i.e., all known recipients). If
you don't want the reply going to yourself (if you were in the To, Cc,
Sender, Reply-To fields) then remove it. The e-mail client won't know
that you don't want a copy of the reply sent to yourself. If you never
want to get messages to yourself that you sent and you don't want to
bother editing the To or Cc fields then define a rule that deletes
e-mails from you sent to you (I already have a rule like this because
sometimes spammers want to pretend that you sent yourself e-mails; i.e.,
they list your e-mail address in both the From and To headers).
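The envelope-versus-headers split described in the reply above, as an added illustration that is not part of the original thread: a small Python model of what a well-behaved mail client submits (one RCPT TO per To/Cc/Bcc recipient, one DATA whose headers omit Bcc) plus a check a recipient can run on raw message data to see whether the sender's client leaked a Bcc header. Addresses and the message are constructed sample values; the function names are mine.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def compose(sender, to, cc, bcc, subject, body):
    """Build what the client hands to the server: the SMTP envelope
    (every To/Cc/Bcc address) and the DATA payload (headers + body).
    The Bcc list only feeds RCPT TO; it is never written into the headers."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = list(to) + list(cc) + list(bcc)
    return envelope, msg.as_bytes()


def smtp_transcript(sender, envelope, data):
    """Render the client-to-server side of the submission as the SMTP
    command sequence the reply describes: N RCPT TO, then one DATA."""
    lines = [f"MAIL FROM:<{sender}>"]
    lines += [f"RCPT TO:<{rcpt}>" for rcpt in envelope]
    lines += ["DATA", data.decode("ascii"), "."]
    return "\n".join(lines)


def leaked_bcc(raw_message):
    """Recipient-side check: parse received raw data and return any Bcc
    header values present. An empty list means nothing was disclosed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    return [str(value) for value in (msg.get_all("Bcc") or [])]


if __name__ == "__main__":
    # Constructed sample: 5 To, 3 Cc, 4 Bcc, as in the reply's example.
    to = [f"to{i}@example.com" for i in range(5)]
    cc = [f"cc{i}@example.com" for i in range(3)]
    bcc = [f"bcc{i}@example.com" for i in range(4)]
    env, data = compose("kathy@example.com", to, cc, bcc, "Update", "Hello all")
    print(smtp_transcript("kathy@example.com", env, data))
    print("Bcc leaked in DATA:", leaked_bcc(data))
```

The transcript shows twelve RCPT TO lines but no Bcc header inside DATA, so a recipient's Reply to All has nothing to recover; `leaked_bcc` flags the failure case where a client wrote the Bcc header into the data anyway.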